Cybersecurity in the Boardroom: Lessons learned from working with boards and senior management

Phyllis Sumner, who leads King & Spalding’s Data, Privacy & Security practice, spends more and more of her time these days counseling corporate boards and senior executives on the perils and pitfalls of data security. She explains her work and the lessons she draws from her discussions of breach prevention, emergency response, remediation and the many other data-security-related issues that are now squarely in the boardrooms of leading companies worldwide.

MCC: Describe your practice as it relates to boards and senior management on cybersecurity issues.

Sumner: I lead King & Spalding’s Data, Privacy & Security practice, which is comprised of over 60 lawyers across different practice groups. We have expanded the services of our group to include proactive compliance, reactive incident response, government investigations and litigation. As high-profile data-security incidents have grabbed headlines, the term “data breach” has entered the common lexicon. Each month brings reports of new breaches and underscores the enormous costs of response and recovery. As a result, I now spend a significant amount of my practice presenting to and counseling boards of directors, audit committees and senior management on cybersecurity, privacy governance and incident response.

Sumner: Over the last year, we have seen the old adage “an ounce of prevention is worth a pound of cure” play out in boardrooms and C-suites across the country. On the one hand, corporate leaders have cybersecurity top of mind – understanding the company’s cyber risks and mitigation strategy, the chain of command for coordinating high-level strategy, day-to-day tactics and governance, and emergency response plans. On the other hand, companies still wrestle with other priorities or view themselves as unlikely targets, and they then face a cybersecurity crisis and struggle through the process.

MCC: What role does communication play in effective cybersecurity?

Sumner: Even companies that have made great strides in cybersecurity and incident-response planning can run into problems when it comes to internal communications. Companies need to ensure that IT professionals share cyber risk information with executives, and that those executives in turn share appropriate information with board members, so those who are ultimately responsible for risk management, incident response, and ensuring that the company has proper policies and procedures in place understand the current state of the company. Likewise, it is important for employees to share information about cybersecurity and security incidents across departments so that decisions are made with the best information available. A big part of the challenge is finding common ground – and a common language – that can facilitate productive and quick interactions between technically steeped information security personnel, legally oriented GCs, and business-driven executives and boards. We have been spending significant time over the past several years working with clients to develop cybersecurity frameworks and risk dashboards that IT can use to frame reports in a context that is understandable, and useful, to management in making business and legal decisions.

MCC: How important is it to plan out roles and responsibilities?

Sumner: Good governance is a prerequisite to effective cybersecurity. Years ago, the IT department was often left to manage the responsibility independently, but many of the best practices for modern cybersecurity programs require input from other stakeholders, including senior management, legal, risk management, human resources, public relations, internal auditing and operations. Proactive policies and procedures require integration among key stakeholders but also a chain of command and clear roles to maintain effectiveness. And perhaps more critically, responding to a cybersecurity incident requires defined leadership positions and effective coordination between multiple departments within an organization. Responding to cybersecurity incidents is a lot like playing football, with the board as the owner and the executives as the coaches. A response plan should define the precise roles, procedures and communication protocols for players across the organization and external on-call participants, such as outside counsel, forensic investigators and PR firms. Boards can then focus on the adequacy of the team’s preparation and play, and the coaches can focus on coordinating the moving parts and the dynamic strategy calls that have to be made along the way. Over the last few years, we have seen a rise in effective pregame practices. Companies are conducting mock drills with key participants to test the viability of their response plan and ensure that participants are familiar with their roles in the event of a cybersecurity incident.

MCC: How much of your interaction with boards and senior management involves cybersecurity education?

Sumner: Board members and senior executives want to understand their legal obligations in overseeing cybersecurity issues. And they want reports from management with the information needed to meet those obligations and to fulfill their fiduciary duties to the company. This can be daunting because most board members and senior executives are not well-versed in the technical complexities of cybersecurity. As a result, we have noticed two key trends in how boards are responding to ensure that they perform their fiduciary duties in this area. First, IT departments are experiencing increased pressure to translate technical risks into business and legal action items that are understandable to the various departments and executives. But there are many ways of building the bridge from IT to the board, and we often advise boards and senior management on updating policies and procedures to manage risks consistent with accepted best practices, industry standards, federal and state law, and guidance from regulatory authorities. We also help companies identify their key areas of business and legal risk and develop reporting models that communicate those risks to boards in an actionable manner. Second, boards and senior management want to keep up-to-date on key issues and have been bringing in a broad array of cybersecurity, legal and other experts to provide them with updates in this area.

MCC: Does a company need to consider privilege issues before and during a cybersecurity incident?

Sumner: Absolutely. As lawyers, we often have to remind ourselves that the attorney-client privilege is a bedrock principle that allows for full, frank and confidential conversations between attorneys and their clients. While the role of the privilege – as well as the attorney work product doctrine – in cybersecurity matters could be the subject of its own Q&A, suffice it to say that recent cases have started to address the boundaries of privilege in the context of cybersecurity incident response, and this trend will increase dramatically as litigation and regulatory proceedings increase in this area. The focus will be on the specifics of the communications, the role of the attorneys and so on, and we are concerned that many companies will be caught in a regulatory proceeding or litigation without having ensured that each appropriate communication withstands scrutiny.

For example, in the class action against Target for its data breach in 2013, the district court rejected a claim of attorney-client privilege for certain communications from the CEO to the board containing updates on Target’s business-related interests in response to the breach because they did not contain confidential communications between Target and its attorneys or the provision of legal advice. The court also rejected claims under the work product doctrine because the updates to the board did not reflect anticipation of litigation. By contrast, other communications involving counsel and forensic investigators were held to be protected under the attorney-client privilege and work product doctrine because they concerned inquiries from Target’s in-house and external counsel about the breach so that the attorneys could provide the company with legal advice and prepare for litigation that could reasonably be expected to follow.

MCC: You mentioned regulatory proceedings. How are regulators influencing boards and senior management?

Sumner: Regulators overseeing critical infrastructure, financial markets and the healthcare industry are publishing guidance, issuing regulations, conducting proactive assessments and investigating data breaches with increasing rigor. In addition, the FTC and state authorities, such as state attorneys general, continue to oversee the broader marketplace and are routinely pursuing companies deemed to fall short in protecting consumers’ personal information. Boards and senior management are increasingly concerned with meeting the expectations of their regulators and implementing practices that do not overextend available resources while passing muster, not only with existing regulations but with anticipated rule making and the rules of influential regulators, such as the SEC and FTC. This requires a close look at organizations’ key business and legal risks in the event of a cyberincident and the types of exposure most likely to trigger regulatory scrutiny. We have noticed a few key trends by regulators recently. As companies become better prepared to respond to security incidents, regulators are shifting focus toward proactive practices. In addition, they have been paying particular attention to specific cybersecurity practices, such as governance, written information security policies, cybersecurity frameworks, data classification and third-party risk management. In the last few years, regulators, such as the SEC and FCC, have demonstrated a willingness to exercise broad enforcement mandates in the context of cybersecurity practices. Board members and senior management are now paying closer attention to their regulators’ focus on cybersecurity, and they are gearing up for potential audits, investigations or enforcement actions regarding internal cybersecurity practices.

MCC: How important is it for a company to have cybersecurity training?

Sumner: Employee training is one of the most important practices a company can adopt to avert a cyberattack. Our experience shows that human error, such as clicking on phishing emails, is responsible for most cyberincidents, so proper employee training can go a long way in preventing data breaches. Security experts and IT departments are focusing more on the need to put effective processes in place to train employees. Boards and senior executives also have come around to understanding that effective cybersecurity involves people and processes in addition to technology, and interest in practical training has increased. The difficulty in designing a training program is that cyber risks and threats are constantly evolving, and a company needs to stay current in its employee training. Companies also need to make training programs engaging and tailored to employees, so employees understand the significance of the issue to the organization, are willing to deal with the inconveniences sometimes associated with security and return to their jobs prepared to respond to the cyberthreats they face.

Phyllis Sumner, Partner and Head of the Data, Privacy & Security practice at King & Spalding in Atlanta. psumner@kslaw.com